WebSphere MQ rules for SSLPEER values

 

This chapter describes the rules that you use when specifying SSLPEER values and that WebSphere MQ uses when matching them against Distinguished Names (DNs) in digital certificates. For a full description of Distinguished Names, refer to Distinguished Names.

When SSLPEER values are compared with DNs, the rules for specifying and matching attribute values are:

  1. You can use either a comma or a semicolon as a separator.

  2. Spaces before or after the separator are ignored. For example:
    CN=John Smith, O=IBM ,OU=Test , C=GB

  3. The values of attribute types CN, T, O, OU, L, ST, SP, S, C are text strings that usually include only the following:

    • Upper and lower case alphabetic characters A through Z and a through z

    • Numeric characters 0 through 9

    • The space character

    • Characters , . ; ' " ( ) / -

    To avoid conversion problems between different platforms, do not use other characters in an attribute value. Note that the attribute types, for example CN, must be in upper case.

  4. Strings containing the same alphabetical characters match irrespective of case.

  5. Spaces are not allowed between the attribute type and the = character.

  6. Optionally, you can enclose attribute values in double quotes, for example CN="John Smith". The quotes are discarded when matching values.

  7. Spaces at either end of the string are ignored unless the string is enclosed in double quotes.

  8. The comma and semicolon attribute separator characters are considered to be part of the string when enclosed in double quotes.

  9. The names of attribute types, for example CN or OU, are considered to be part of the string when enclosed in double quotes.

  10. Any of the attribute types ST, SP, and S can be used for the State or Province name.

  11. Any attribute value can have an asterisk (*) as a pattern-matching character at the beginning, the end, or in both places. The asterisk character substitutes for any number of characters at the beginning or end of the string to be matched. This enables your SSLPEER value specification to match a range of Distinguished Names. For example, OU=IBM* matches every Organizational Unit beginning with IBM, such as IBM Corporation.

    Note that the asterisk character can also be a valid character in a Distinguished Name. To obtain an exact match with an asterisk at the beginning or end of the string, the backslash escape character (\) must precede the asterisk: \*. Asterisks in the middle of the string are considered to be part of the string and do not require the backslash escape character.

  12. When multiple OU attributes are specified, all must exist and be in descending hierarchical order. For an example of this, see the information on the DEFINE CHANNEL command in “Chapter 2. The MQSC commands” in the WebSphere MQ Script (MQSC) Command Reference.
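
The rules above, as an added Python sketch (not IBM's code and not part of the original page) that parses an SSLPEER value and a certificate DN and compares them. Assumptions: the function names are hypothetical, each attribute type occurs once (rule 12 is not modelled), the certificate DN is supplied in the same text form, and attributes not named in the SSLPEER value are left unchecked.

```python
ALIASES = {"SP": "ST", "S": "ST"}   # rule 10: ST, SP and S all name State or Province

def parse_dn(text):
    """Return {attribute type: value} for an SSLPEER value or a DN string."""
    parts, buf, quoted = [], "", False
    for ch in text + ",":                        # trailing separator flushes the last part
        if ch == '"':
            quoted = not quoted
        if ch in ",;" and not quoted:            # rules 1 and 8: split outside quotes only
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    if quoted:
        raise ValueError("unbalanced double quote")
    attrs = {}
    for part in filter(None, (p.strip() for p in parts)):   # rule 2
        typ, eq, val = part.partition("=")
        if not eq or typ != typ.rstrip() or not typ.isupper():
            raise ValueError(f"bad attribute: {part!r}")    # rule 5, upper-case types
        val = val.strip()                        # rule 7: trim unquoted values
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                      # rule 6: drop quotes, keep inner spaces
        attrs[ALIASES.get(typ, typ)] = val
    return attrs

def value_matches(pattern, actual):
    """Rule 11: '*' is a wildcard only at the ends; '\\*' there is a literal asterisk."""
    lead = pattern.startswith("*")
    if lead:
        pattern = pattern[1:]
    trail = pattern.endswith("*") and not pattern.endswith("\\*")
    if trail:
        pattern = pattern[:-1]
    if pattern.startswith("\\*"):
        pattern = pattern[1:]                    # drop the escape, keep the asterisk
    if pattern.endswith("\\*"):
        pattern = pattern[:-2] + "*"
    p, a = pattern.lower(), actual.lower()       # rule 4: case-insensitive comparison
    if lead and trail:
        return p in a
    if lead:
        return a.endswith(p)
    return a.startswith(p) if trail else a == p

def sslpeer_matches(sslpeer, cert_dn):
    want, have = parse_dn(sslpeer), parse_dn(cert_dn)
    return all(t in have and value_matches(v, have[t]) for t, v in want.items())
```

Because a leading or trailing asterisk widens the set of accepted certificates, running candidate SSLPEER values through a check like this against DNs that must be rejected is a quick way to confirm the filter is as narrow as intended.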

 
